Bitdefender finds cracks in Apple's walled garden

Andrew Brandt is the director of threat research at Blue Coat. He's also the victim of an aggressive advertising mobile app.

A few months ago, the Android enthusiast downloaded a game promoted by Amazon as the free app of the day. "I didn't really think anything of it, but after I ran the game, strange things started happening on my phone," he explained via email.

For example, notifications began appearing for things not installed on his phone. "Then within about 30 minutes of installing, playing, and then putting the phone away, I received a text message confirmation that I had subscribed to some sort of paid SMS service for $5.99 a month," he said.

"Of course, I hadn't subscribed to the service," he said. "In fact, I hadn't even sent an SMS message myself the entire day."

What happened? Brandt had given the app permission to send SMS messages when he installed it -- ostensibly, so he could share high scores and other content about the game with friends and other players. But the app abused that privilege: it sent an SMS message through a method outside the phone's normal messaging app, auto-subscribing him to the premium service.

Brandt's case was quickly remedied by his carrier and Amazon immediately pulled the app from its online store. But the problem of mobile apps sticking their binary noses where they ought not to is growing. And according to a study by Bitdefender, it's an affliction significantly affecting both the Android and iOS worlds.

After analyzing more than half a million free apps on both platforms over the last year, Bitdefender found "applications are equally invasive and curious on iOS as on Android, even though one may argue that one of the operating systems is safer."

The study suggests that the "Walled Garden" Apple has erected around its mobile ecosystem may have some cracks in it. "Surprisingly enough, iOS applications matched the ones written for Android," Bogdan Botezatu, a senior e-threat analyst with Bitdefender, said in an email.

"Advertisers' main goal is getting hold of user data regardless of platform, and would often go as far as the platform allows them to go," he said.

For instance, more than 45% of iOS apps contain location-tracking capabilities, compared to about 35% for Android apps, the study noted.

Bitdefender found that 7.69% of Android apps could access contacts stored on a phone, and 18.92% of iOS apps did the same thing.

Although a portion of the Android apps could leak device IDs, email addresses and phone numbers, Apple has plugged those holes in its ecosystem.

About 15% of Android apps may leak a handset's device ID, the Bitdefender study said, while almost six percent may leak email addresses and more than eight percent may leak phone numbers.

While iOS apps could technically leak device IDs, emails and phone numbers, Bitdefender's Botezatu explained, Apple routinely rejects such apps when it reviews them for suitability for its app store.

"Apple has had long-standing, strict policies in place," Jeremy Linden, a security product manager for Lookout, said in an email. "While Google Play has policies regarding ad behavior, they aren't as rigorous as Apple's."

In addition, Apple intensely enforces its policies. "Apps have to be reviewed before they are published," Linden explained. "This makes publishing an iOS app more cumbersome, but does help enforce some of the policies Apple sets."

Apple did not respond to a request for comment.

According to Trend Micro, almost one in four mobile Android apps contains malware or the kind of premium subscription scam that infected Brandt's phone. "Those apps not only exfiltrate your credentials, but [can] send text messages and access websites that you get billed for through your telco provider," Tom Kellermann, vice president of Cyber Security for Trend Micro, said in an interview.

"It's a great way to milk someone," he continued, "because they've downloaded an app that, unbeknownst to them, steals their credentials and contacts lists and forces them to use premium services."

Although the use of aggressive adware is a growing problem in the mobile world, it isn't new. "It's a problem that's been around forever," Dirk Sigurdson, director of engineering for Rapid7's Mobilisafe, said in an interview. "PCs have always had this problem, as well. Adware has always collected information from users to tailor ads for them.

"At least with mobile, you can see what your apps are accessing," he added.

Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.